Identified a need to have more security, mainly within our laptop user base. After researching different options, I chose to go with BitLocker.

I ended up choosing BitLocker due to its ease of use and the fact that it is already built into the Windows platform. The biggest issue we had, however, was that all of our laptops were running Windows 7 Professional (64-bit), which does NOT include BitLocker. To make matters worse, there is no upgrade path from Professional to Enterprise, so this meant we'd need to include a re-image in the process at some point. Another major hurdle was that not all of these laptops were locally available; some of the users were in another location, meaning the work would have to be done over the network.

INITIAL TESTING
Started with some obvious first testing steps. In my sandbox environment, I imaged a couple of laptops (old non-production ones at first) to Windows Enterprise and then enabled BitLocker, just so I could get my hands dirty and figure out how everything worked: taking TPM ownership, how long the encryption takes, what still works or doesn't afterwards, and so on. I then slowly started adding more steps, such as creating OUs in Active Directory and managing BitLocker via GPO. Once I was satisfied with the "basics" I decided to start looking at delivery methods.

IMAGING
I looked at several different imaging and deployment solutions. At the time, we were using Ghost to image our computers. While Ghost worked, it wasn't amazing and left a lot to be desired. Needing to create a different image for every hardware configuration was also a pain, so it was time to find something better. In the end, I went with a combination of two options: SmartDeploy and Microsoft Deployment Toolkit / WDS. More on that later.

MDT/WDS
Admittedly, this was the most difficult step and I completely underestimated what this step would take at first. In a nutshell, the process went like this:

1. Created a server, Windows 2012 R2
2. Downloaded/installed MDT, WAIK, WDS on the server
3. Researched the heck out of MDT and image deployment
4. Talked to an expert (someone I found on this site!) for last minute advice
5. Set it all up

Seems simple, right? This step took a total of a couple of months before it was both working 100% and completely usable for what I needed it to do. The main issues I ran into during this step were drivers and creating a rock-solid configuration for unattended deployments, with drivers being the more difficult of the two. Luckily I was able to find a handful of websites which made this a billion times easier by offering full driver packages for the platforms we used (Dell Latitudes and Precisions).

Some of the major benefits to using MDT:
1. The imaging process was able to work with our naming scheme of naming the laptops after their 4-digit asset number, which it pulled from the BIOS (we preset this) and then prefixed with the required text, so the result looked like this: WS1234
2. The biggest plus was the fact that you could enable BitLocker during the image deployment, saving the need for an additional step of doing it by hand later
3. Once I preloaded all of our machine sets, MDT would automatically detect the laptop's hardware and install the required drivers correctly, which was huge
4. We were able to have the laptops automatically added to the domain and then placed in the appropriate OU. Sounds silly, but there are still imaging solutions out there which do not offer this.

Some of the downsides to using MDT:
1. It's easily the most complex and convoluted imaging solution I've ever used and it isn't even close. You could spend a week straight learning everything you can about MDT, then fire it up and instantly feel like a deer in headlights. Admittedly, it is probably WAY more complex than it needs to be.
2. There is a lot of maintenance once it is set up. This goes for most imaging solutions but especially for MDT.
3. The learning curve is enormous when compared to similar solutions.
4. You'll definitely want to have some networking skills prior to setting this up. Troubleshooting MDT/WDS without a solid knowledge of networking would have been a nightmare.

Ultimately, the process looks like this:

1. Machine is set to be re-imaged, either manually or via the network.
2. Re-image begins, first by hitting the MDT server and initiating the process.
3. OS is installed and added to AD; BitLocker is enabled and configured via GPO.
4. Machine reboots after a successful re-image and sits at the BitLocker PIN entry screen.
5. Any files the user had on the old image are transferred over during the re-image process. The local profile is configured via GPO.
6. Success!
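As an added check that is not part of the original post, the script below verifies on a freshly imaged laptop that the build actually landed where step 4 expects it: TPM owned, OS volume protected, a TPM+PIN protector present, and a recovery password protector present for the GPO to escrow to AD. It assumes the OS volume is C: and is run elevated; it uses the Win32_Tpm and Win32_EncryptableVolume WMI classes rather than the newer BitLocker module so it also works on Windows 7 Enterprise.

```powershell
# Post-deployment BitLocker verification (added example; assumes OS drive is C:).
# Run elevated after the MDT task sequence finishes and the machine has rebooted.
$OsDrive = 'C:'

# Key protector type codes as documented for Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'
}

# 1. The TPM must be enabled, activated and owned before a TPM-based protector can exist
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'No TPM found; BitLocker could only use a startup key or password.'
} else {
    $tpmOk = $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned
    Write-Host ("TPM enabled/activated/owned: {0}" -f $tpmOk)
}

# 2. Look up the OS volume and its protection / conversion state
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
       -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if (-not $vol) { throw "Volume $OsDrive not found in Win32_EncryptableVolume" }

$protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
$conv       = $vol.GetConversionStatus()                      # ConversionStatus 1 = fully encrypted
Write-Host ("Protection on: {0}; encrypted {1}%" -f ($protection -eq 1), $conv.EncryptionPercentage)

# 3. Enumerate all key protectors (type 0 = all) and translate their type codes
$types = @()
foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $code = $vol.GetKeyProtectorType($id).KeyProtectorType
    $types += $ProtectorNames[[int]$code]
}
Write-Host ("Key protectors: {0}" -f ($types -join ', '))

# 4. Flag what matters after an MDT build governed by a TPM+PIN GPO:
#    the pre-boot PIN is enforced, a recovery password exists for AD escrow,
#    and protection is actually switched on (not merely "encryption in progress").
if ($types -notcontains 'TPMAndPIN')         { Write-Warning 'No TPM+PIN protector: pre-boot PIN is not enforced.' }
if ($types -notcontains 'NumericalPassword') { Write-Warning 'No recovery password protector: nothing for AD to escrow.' }
if ($protection -ne 1)                       { Write-Warning "BitLocker protection is not on for $OsDrive." }
```

A machine that shows the PIN prompt but still has protection off (common while encryption is still running in the background) is caught by the last check, which is worth running before the laptop is handed back to a remote user.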

This project was a beast, but it would have been made much easier by having the correct OS installed ahead of time, which would have eliminated over half of the time and the need to set up MDT (unless you wanted it for other reasons). Since this project, we have started to move away from MDT and instead opt for something much easier: SmartDeploy. The main reason for this move was that MDT is extremely complex, making training new staff on it a lengthy process. At the time, I was the only person in my position and unfortunately didn't have the time needed, so we opted for something our new staff could learn quickly and use with ease. I'd highly recommend SmartDeploy to anybody looking for an imaging solution.